Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Time Stamp Question

OldManEd
Builder
‎03-17-2014 09:36 AM

Quick question, is Splunk supposed to be able to understand a time stamp string like this;

2014 Mar 14 20:51:10:981 GMT -7

It seems to not understand the "-7" part. The raw data is showing up as simply GMT time.

Tags (3)
0 Karma
Reply

OldManEd
Builder
‎03-17-2014 10:29 AM

My confusion is if altering the props.conf file will override the GMT stamp in the source data. I ~thought~ that if Splunk saw a timezone in the source data, it would take that information first over the props.conf file. I assume I'm wrong on this one and that would be a good thing.

0 Karma
Reply

somesoni2
Revered Legend
‎03-17-2014 10:25 AM

Try using this a TIME_FORMAT in props.conf

TIME_FORMAT = %Y %b %d %H:%M:%S:%3Q %Z %z
0 Karma
Reply

somesoni2
Revered Legend
‎03-17-2014 02:13 PM

Splunk can identify timezone by itself if its in standard format. Since your logs have custom timestamp, You need to specify TIME_FORMAT attribute to enable Splunk to identify the location of timezone in your logs. ("%Z %Z" part). You can specify TZ attribute in case the logs will miss timezone part (in that case it will take the timezone from the TZ attribute).

0 Karma
Reply

OldManEd
Builder
‎03-17-2014 01:41 PM

So, in my case, with the raw data showing

2014 Mar 14 20:51:10:981 GMT -7

I'm hosed unless I can get the user to change his logging format, correct?

0 Karma
Reply

somesoni2
Revered Legend
‎03-17-2014 12:33 PM

As per documentation, it will use TZ from raw data first, if available. (props.conf documentation)

TZ =
* The algorithm for determining the time zone for a particular event is as follows:
* If the event has a timezone in its raw text (for example, UTC, -08:00), use that.
* If TZ is set to a valid timezone string, use that.
* If the event was forwarded, and the forwarder-indexer connection is using the
6.0+ forwarding protocol, use the timezone provided by the forwarder.
* Otherwise, use the timezone of the system that is running splunkd.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-17-2014 10:18 AM

That is a non-standard timestamp. A more standard format would be "2014 Mar 14 20:51:10.981-0700". Splunk can be taught to parse your dates, however, by modifying the props.conf file. See http://answers.splunk.com/answers/4176/splunk-time-stamp-error.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...